
Re: SSH resources, specifically on certificates (certificate authentication)



On Jul 13, 2022, David Wright wrote:
> On Wed 13 Jul 2022 at 18:40:18 (-0400), Dan Purgert wrote:
> > On Jul 13, 2022, rhkramer@gmail.com wrote:
> > > I seem to have gone down a rabbit hole.
> > > 
> > > I want(ed?) to set up ssh on my LAN using certificate authentication, and am 
> > > having a lot of trouble finding the information I need / would like to have.
> > 
> > Which is what, exactly?  Other than the "active mailing list" you
> > mentioned in a snipped segment.
> > 
> > SSH with cert-auth is pretty trivial to implement on most distros:
> > 
> > 1. install openssh-server (if not already installed) on SERVER (the
> > machine you will connect to)
> > 2. on the CLIENT (machine you will connect from), run ssh-keygen to
> > generate a new ssh keypair.  For example --  ssh-keygen -t ed25519 -f
> > keyfile -- will generate a new ED25519-based keypair ("keyfile" and
> > "keyfile.pub").
> > 3. copy the content of keyfile.pub to $HOME/.ssh/authorized_keys on the
> > SERVER machine
> > 4. try logging into SERVER with your key (e.g. ssh -i keyfile
> > user@SERVER) 
> > 
> > For "best security" repeat steps 2-4 on all CLIENT machines to create
> > individual client keys -- just make sure to APPEND to authorized_keys.
> 
> That's what I do, but that's /key/ authentication, not cert.
> (Search for "certificate" in   man ssh-keygen   to see what's
> involved with certificates.) I'm afraid I'm not up to speed
> on that topic.

*sigh* indeed, I crossed my thinking. :(

Should be basically the same -- at least the manpages for ssh and
ssh-keygen cover it pretty well...

 ssh-keygen -s /path/to/ca -I keyid /path/to/user_public

sshd apparently needs a "cert-authority" parameter set at start-time, so
that it knows the signing CA for the certs, and then you (apparently)
configure authorized_keys in the same manner.  

I've never seen this implemented in any place I've worked in
the last 2 decades (granted, I "only" have said 2 decades of
"professional" experience); rather they've always used either (a) keys,
or (b) password + RSA Token (or other 2FA / TOTP mechanism)

-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860
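The certificate workflow sketched in the reply above, worked through end to end as an added example (this is not code from the thread or from the OpenSSH project). It assumes OpenSSH's ssh-keygen is on PATH; the CA name, the user "alice", the key id and every path are constructed for the demo. On the server side it spells out the two real ways to tell sshd which CA to trust: the TrustedUserCAKeys directive in sshd_config and, per user, the cert-authority option in authorized_keys. The helper functions at the end read back what a signed certificate actually grants (principals, issuing CA), which is the check an admin wants before trusting a cert in production.

```shell
#!/bin/sh
# Added example, not from the thread: an end-to-end SSH user-certificate
# workflow run in a scratch directory. Assumes OpenSSH's ssh-keygen is on
# PATH. The CA name, the user "alice", the key id and all paths are
# constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. CA keypair. The private half ($WORK/user_ca) is the crown jewel: whoever
#    holds it can mint a certificate for any principal the servers trust, so
#    keep it off the servers, ideally on a dedicated signing host or HSM.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example user CA' -f "$WORK/user_ca"
    printf '%s\n' "$WORK/user_ca.pub"
}

# 2. The client's own keypair, as in step 2 of the earlier message.
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C 'alice laptop' -f "$WORK/alice"
    printf '%s\n' "$WORK/alice.pub"
}

# 3. Sign the client's public key with the CA (the "ssh-keygen -s" line above).
#    -I is the key identity sshd logs at login, -n restricts which login names
#    the cert is valid for, -V bounds its lifetime so a lost cert expires
#    instead of working forever. ssh-keygen writes <key>-cert.pub beside the key.
sign_user_key() {
    ssh-keygen -q -s "$WORK/user_ca" -I 'alice@laptop' -n alice \
        -V '-5m:+8h' "$WORK/alice.pub"
    printf '%s\n' "$WORK/alice-cert.pub"
}

# 4. Server side: two ways to tell sshd which CA to trust. Written to files in
#    $WORK here; on a real server they go to /etc/ssh/sshd_config.d/ and to the
#    user's ~/.ssh/authorized_keys respectively (sshd then needs a reload).
write_server_trust() {
    conf="$WORK/sshd_config.d_ssh-ca.conf"
    {
        echo "# Trust every cert signed by this CA; a principal must match the login name"
        echo "TrustedUserCAKeys /etc/ssh/user_ca.pub"
        echo "# Optional: revoked keys/certs (a KRL built with ssh-keygen -k works here)"
        echo "RevokedKeys /etc/ssh/revoked_keys"
    } > "$conf"
    # Alternative per-user form: the cert-authority option in authorized_keys,
    # additionally pinned to the principal "alice".
    printf 'cert-authority,principals="alice" %s\n' "$(cat "$WORK/user_ca.pub")" \
        > "$WORK/authorized_keys"
    printf '%s\n' "$conf"
}

# Helpers an admin or auditor uses to read back what the cert actually grants.
cert_principals() {   # prints the cert's principals, one per line
    ssh-keygen -L -f "$1" | awk '
        /^ *Principals:/ { p = 1; next }
        p && /:/         { p = 0 }
        p                { sub(/^ +/, ""); print }'
}
cert_signing_ca() {   # SHA256 fingerprint of the CA that signed the cert
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ { for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }'
}
key_fingerprint() {   # SHA256 fingerprint of a public key file
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

demo() {
    make_ca >/dev/null
    make_user_key >/dev/null
    cert="$(sign_user_key)"
    write_server_trust >/dev/null
    echo "certificate: $cert"
    echo "principals:  $(cert_principals "$cert" | tr '\n' ' ')"
    if [ "$(cert_signing_ca "$cert")" = "$(key_fingerprint "$WORK/user_ca.pub")" ]; then
        echo "signed by the expected CA ($(key_fingerprint "$WORK/user_ca.pub"))"
    else
        echo "WARNING: cert was NOT signed by $WORK/user_ca.pub" >&2
        return 1
    fi
    echo "server-side trust written under $WORK (sshd_config.d_ssh-ca.conf, authorized_keys)"
    # Client usage: ssh -i "$WORK/alice" alice@SERVER  (ssh picks up alice-cert.pub by itself)
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found; install openssh-client to run this example" >&2
fi
```

Run it as-is and it leaves the CA, the user key, the signed cert and the two server-side files in the temp directory it prints. The short -V window is the point of certificates over plain keys: the server never needs an authorized_keys edit per client, and a certificate that leaks stops working on its own, while RevokedKeys covers the case where you cannot wait for expiry.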
